author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 21:36:22 +0000 |
---|---|---|
committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 21:36:22 +0000 |
commit | 2e8d5349774ea29838981d42d6a8d7f648956fdd (patch) | |
tree | cc46976fd2bb6b8eb16c48854a62252c56f1dd52 /net | |
parent | 0c42122fa9e1f8eae86c4e28a2439a3033047f12 (diff) | |
Distinguish STS observation times from PKP observation times.
Formerly, there was one time, called "created". "Observed" is more accurate.
This is part of the overall effort to distinguish HSTS policies from key
pinning policies.
BUG=249481
Review URL: https://codereview.chromium.org/18554002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@241656 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/transport_security_persister.cc | 28 | ||||
-rw-r--r-- | net/http/transport_security_state.cc | 27 | ||||
-rw-r--r-- | net/http/transport_security_state.h | 12 |
3 files changed, 49 insertions, 18 deletions
diff --git a/net/http/transport_security_persister.cc b/net/http/transport_security_persister.cc index 771d07d..39ac8df 100644 --- a/net/http/transport_security_persister.cc +++ b/net/http/transport_security_persister.cc @@ -79,6 +79,8 @@ const char kStrict[] = "strict"; const char kDefault[] = "default"; const char kPinningOnly[] = "pinning-only"; const char kCreated[] = "created"; +const char kStsObserved[] = "sts_observed"; +const char kPkpObserved[] = "pkp_observed"; std::string LoadState(const base::FilePath& path) { std::string result; @@ -148,7 +150,8 @@ bool TransportSecurityPersister::SerializeData(std::string* output) { domain_state.sts_include_subdomains); serialized->SetBoolean(kPkpIncludeSubdomains, domain_state.pkp_include_subdomains); - serialized->SetDouble(kCreated, domain_state.created.ToDoubleT()); + serialized->SetDouble(kStsObserved, domain_state.sts_observed.ToDoubleT()); + serialized->SetDouble(kPkpObserved, domain_state.pkp_observed.ToDoubleT()); serialized->SetDouble(kExpiry, domain_state.upgrade_expiry.ToDoubleT()); serialized->SetDouble(kDynamicSPKIHashesExpiry, domain_state.dynamic_spki_hashes_expiry.ToDoubleT()); @@ -211,7 +214,6 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized, } std::string mode_string; - double created; double expiry; double dynamic_spki_hashes_expiry = 0.0; TransportSecurityState::DomainState domain_state; 
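Review bot: In the visible hunks nothing writes `kCreated` any more, since SerializeData now emits only `sts_observed` and `pkp_observed`, yet the constant sits beside the new keys with nothing marking it as read-only. A comment on its declaration would keep it from being written again, or removed while old state files still depend on it, for example `// Legacy key: read by Deserialize() for migration, never written.` SerializeData begins and ends outside the hunk.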
@@ -271,13 +273,27 @@ bool TransportSecurityPersister::Deserialize(const std::string& serialized, domain_state.upgrade_expiry = base::Time::FromDoubleT(expiry); domain_state.dynamic_spki_hashes_expiry = base::Time::FromDoubleT(dynamic_spki_hashes_expiry); - if (parsed->GetDouble(kCreated, &created)) { - domain_state.created = base::Time::FromDoubleT(created); + + double sts_observed; + double pkp_observed; + if (parsed->GetDouble(kStsObserved, &sts_observed)) { + domain_state.sts_observed = base::Time::FromDoubleT(sts_observed); + } else if (parsed->GetDouble(kCreated, &sts_observed)) { + // kCreated is a legacy synonym for both kStsObserved and kPkpObserved. + domain_state.sts_observed = base::Time::FromDoubleT(sts_observed); } else { - // We're migrating an old entry with no creation date. Make sure we + // We're migrating an old entry with no observation date. Make sure we // write the new date back in a reasonable time frame. dirtied = true; - domain_state.created = base::Time::Now(); + domain_state.sts_observed = base::Time::Now(); + } + if (parsed->GetDouble(kPkpObserved, &pkp_observed)) { + domain_state.pkp_observed = base::Time::FromDoubleT(pkp_observed); + } else if (parsed->GetDouble(kCreated, &pkp_observed)) { + domain_state.pkp_observed = base::Time::FromDoubleT(pkp_observed); + } else { + dirtied = true; + domain_state.pkp_observed = base::Time::Now(); } if (domain_state.upgrade_expiry <= current_time && diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc index 2515a4b..e6c5b42 100644 --- a/net/http/transport_security_state.cc +++ b/net/http/transport_security_state.cc 
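Review bot: The fallback to the legacy `created` key is spelled out twice in Deserialize, once per field, and within each chain the first two branches perform the same assignment. Folding them, e.g. `if (parsed->GetDouble(kStsObserved, &sts_observed) || parsed->GetDouble(kCreated, &sts_observed))`, leaves one assignment per field and makes it harder for the two chains to drift apart. The pkp_observed chain also carries none of the comments the sts_observed chain has, so the reason for `dirtied = true` is explained only once. Entries that fall through to `base::Time::Now()` will look newly observed to DeleteAllDynamicDataSince, which seems worth stating in that comment. Deserialize starts and ends outside the hunk.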
@@ -199,15 +199,22 @@ void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) { DCHECK(CalledOnValidThread()); bool dirtied = false; - DomainStateMap::iterator i = enabled_hosts_.begin(); while (i != enabled_hosts_.end()) { - if (i->second.created >= time) { + if (i->second.sts_observed >= time && i->second.pkp_observed >= time) { dirtied = true; enabled_hosts_.erase(i++); - } else { - i++; + continue; + } + + if (i->second.sts_observed >= time) { + dirtied = true; + i->second.upgrade_mode = DomainState::MODE_DEFAULT; + } else if (i->second.pkp_observed >= time) { + dirtied = true; + i->second.dynamic_spki_hashes.clear(); } + ++i; } if (dirtied) @@ -614,7 +621,7 @@ bool TransportSecurityState::AddHSTSHeader(const std::string& host, domain_state.upgrade_mode = DomainState::MODE_DEFAULT; else domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS; - domain_state.created = now; + domain_state.sts_observed = now; domain_state.upgrade_expiry = now + max_age; EnableHost(host, domain_state); return true; @@ -635,7 +642,7 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host, &max_age, &domain_state.pkp_include_subdomains, &domain_state.dynamic_spki_hashes)) { // TODO(palmer): http://crbug.com/243865 handle max-age == 0. - domain_state.created = now; + domain_state.pkp_observed = now; domain_state.dynamic_spki_hashes_expiry = now + max_age; EnableHost(host, domain_state); return true; @@ -657,7 +664,7 @@ bool TransportSecurityState::AddHSTS(const std::string& host, if (i != enabled_hosts_.end()) domain_state = i->second; - domain_state.created = base::Time::Now(); + domain_state.sts_observed = base::Time::Now(); domain_state.sts_include_subdomains = include_subdomains; domain_state.upgrade_expiry = expiry; domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS; 
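Review bot: In DeleteAllDynamicDataSince the two partial branches leave the host in `enabled_hosts_` with state from inside the deletion window still attached. The STS branch resets only `upgrade_mode` and the PKP branch clears only `dynamic_spki_hashes`, while the in-window observed time, the matching expiry and the include-subdomains flag are kept and presumably persisted. For a clear-data-since operation that means a record of the recent visit survives. Consider also resetting the fields that belong to the cleared policy, for example `i->second.sts_include_subdomains = false;` beside the `upgrade_mode` reset and `i->second.pkp_include_subdomains = false;` beside the `clear()`, and erasing the entry when no dynamic state remains. The diffstat lists no test file, so both partial cases look untested in this commit, and the function's tail after `if (dirtied)` is outside the hunk.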
@@ -680,7 +687,7 @@ bool TransportSecurityState::AddHPKP(const std::string& host, if (i != enabled_hosts_.end()) domain_state = i->second; - domain_state.created = base::Time::Now(); + domain_state.pkp_observed = base::Time::Now(); domain_state.pkp_include_subdomains = include_subdomains; domain_state.dynamic_spki_hashes_expiry = expiry; domain_state.dynamic_spki_hashes = hashes; @@ -825,9 +832,11 @@ void TransportSecurityState::AddOrUpdateEnabledHosts( TransportSecurityState::DomainState::DomainState() : upgrade_mode(MODE_DEFAULT), - created(base::Time::Now()), sts_include_subdomains(false), pkp_include_subdomains(false) { + base::Time now(base::Time::Now()); + sts_observed = now; + pkp_observed = now; } TransportSecurityState::DomainState::~DomainState() { diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h index 97b4d7c..3511b69 100644 --- a/net/http/transport_security_state.h +++ b/net/http/transport_security_state.h @@ -95,10 +95,16 @@ class NET_EXPORT TransportSecurityState UpgradeMode upgrade_mode; - // The absolute time (UTC) when this DomainState was first created. + // The absolute time (UTC) when the |upgrade_mode| was observed. // - // Static entries do not have a created time. - base::Time created; + // TODO(palmer): Perhaps static entries should have an "observed" time. + base::Time sts_observed; + + // The absolute time (UTC) when the |dynamic_spki_hashes| (and other + // |dynamic_*| state) were observed. + // + // TODO(palmer): Perhaps static entries should have an "observed" time. + base::Time pkp_observed; // The absolute time (UTC) when the |upgrade_mode|, if set to // UPGRADE_ALWAYS, downgrades to UPGRADE_NEVER. |
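Review bot: The new comments in transport_security_state.h call both fields observation times, but the constructor hunk in transport_security_state.cc sets both to `base::Time::Now()`, so for a host that has sent only one of the two headers the other field holds the construction time. DeleteAllDynamicDataSince compares both fields against the cutoff, so that default decides whether an entry is erased outright or only partly reset. It would help to say so on each field, e.g. `// Initialized to the construction time by DomainState(); compared against the cutoff in DeleteAllDynamicDataSince().` The unchanged comment just below still names UPGRADE_ALWAYS and UPGRADE_NEVER, while the .cc hunks use MODE_FORCE_HTTPS and MODE_DEFAULT. The DomainState declaration continues outside the hunk.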